Skill

recon

Multi-phase target reconnaissance combining passive and active techniques for comprehensive attack surface mapping

Install

Run in your terminal

npx claudepluginhub overtimepog/greyhatcc --plugin greyhatcc

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.3k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.3k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.3k

Stats

Stars0

Forks0

Last CommitFeb 25, 2026

Actions

View Source View Plugin View on GitHub View README

Reconnaissance Workflow

You are executing the greyhatcc reconnaissance skill. Perform a comprehensive multi-phase recon on the provided target.

Usage

/greyhatcc:recon <target> where target is a domain, IP, or URL.

Smart Input

{{ARGUMENTS}} is parsed automatically — just provide a target in any format:

URL (https://example.com/path) → extracted domain + full URL used as target
Domain (example.com) → https:// prepended, used as target
IP (1.2.3.4) → used directly for infrastructure testing
H1 URL (hackerone.com/program) → program handle extracted, scope loaded via H1 API
Empty → error: "Usage: /greyhatcc:<skill> <target>"

No format specification needed from user — detect and proceed.

Context Loading (MANDATORY)

Before executing this skill:

Load scope: .greyhatcc/scope.json — verify target is in scope, note exclusions
Load hunt state: .greyhatcc/hunt-state.json — check active phase, resume context
Load program files: findings_log.md, tested.json, gadgets.json — avoid duplicating work
Load memory: Check MEMORY.md for target-specific notes from previous sessions

Phase 1: Passive Reconnaissance

CT Log Enumeration: Query crt.sh for subdomains

Use WebFetch: https://crt.sh/?q=%25.<domain>&output=json

DNS Records: Use MCP tool greyhatcc_sec__dns_records for comprehensive DNS data
WHOIS: Use MCP tool greyhatcc_sec__whois_lookup for registration data
Shodan Intelligence: Use MCP tool greyhatcc_s__shodan_host_lookup or greyhatcc_s__shodan_search
Technology Fingerprinting: Use MCP tool greyhatcc_sec__header_analysis for HTTP headers
WAF Detection: Use MCP tool greyhatcc_sec__waf_detect to identify protections
Wayback Machine: Use WebFetch on https://web.archive.org/cdx/search/cdx?url=<domain>/*&output=text&fl=original&collapse=urlkey&limit=500

Phase 2: Active Reconnaissance

Port Scanning: Run nmap via Bash (optionally use run_in_background for long full scans)
- Quick: nmap -Pn -sV --top-ports 1000 <target>
- Full: nmap -Pn -sV -sC -p- <target> (optionally background — your choice)
SSL/TLS Analysis: Use MCP tool greyhatcc_sec__ssl_analysis
Service Enumeration: Cross-reference detected services with Shodan data

Phase 3: Analysis & Output

Delegate to recon-specialist agent via Task tool for standard recon, or recon-specialist-high for complex targets.

Save all outputs to <target_dir>/recon/:

subdomains.txt - Discovered subdomains
dns_records.md - DNS data
tech_stack.md - Technology fingerprint
shodan_<ip>.md - Shodan intelligence
recon_summary.md - Executive summary with attack surface priorities

Agent Dispatch Tables

Parallel dispatch is optional. Use it when tasks are independent and speed matters. Sequential is the default.

Phase 1 Dispatch (Core Recon)

Agent	Task	Tier
`subdomain-worker`	CT logs + subdomain enumeration	Haiku
`fingerprint-worker`	Tech fingerprinting + header analysis	Haiku
`shodan-worker`	Shodan host lookup + SSL cert search	Haiku
`cloud-worker`	S3/GCS/Azure bucket enumeration, Firebase discovery	Haiku
`osint-worker`	WAF/CDN detection + OSINT	Haiku

Phase 2 Dispatch (Deep Recon)

Agent	Task	Tier
`js-worker`	Download and analyze all JS bundles — extract endpoints, secrets, source maps	Sonnet
`takeover-worker`	Dangling CNAME/NS/MX subdomain takeover detection	Haiku
`portscan-worker`	Port scanning with service detection	Haiku
`subdomain-takeover`	BadDNS + dangling CNAME/NS/MX detection on all discovered subdomains	Sonnet
`network-analyst-low`	Port scanning + service enumeration on discovered IPs	Haiku
`osint-researcher-high`	Deep OSINT — employee enumeration, acquisition research, job posting analysis	Opus

Phase 3 Aggregation

After all agents complete, aggregate results with recon-specialist (Sonnet):

Merge all subdomain lists, deduplicate
Build unified tech stack profile
Cross-reference Shodan data with discovered services
Populate attack_plan.md with prioritized targets

Post-Recon Actions

After recon completes:

Update tested.json — record which recon tasks were performed
Update gadgets.json — add informational findings with chaining potential (e.g., internal IPs in DNS = SSRF targets, CSP bucket names = takeover candidates)
Trigger dependent skills — if JS bundles found, suggest /greyhatcc:js; if cloud assets found, suggest /greyhatcc:cloud; if dangling subdomains found, suggest /greyhatcc:takeover
Feed into attack plan — update attack_plan.md with prioritized targets based on recon findings

State Updates

After completing this skill:

Update tested.json — record what was tested (asset + vuln class)
Update gadgets.json — add any informational findings with provides/requires tags for chaining
Update findings_log.md — log any confirmed findings with severity
Update hunt-state.json if in active hunt — set lastActivity timestamp